'Secretbook' Lets You Encode Hidden Messages in Your Facebook Pics

What Secretbook looks like after installing it into Google Chrome, loading Facebook and pressing CTRL-ALT-A.

Facebook is a place where you can share pictures of cute animals and fun activities. Now there's a browser extension that lets you encode those images with secret, hard-to-detect messages.

That's the idea behind Secretbook, a browser extension released this week by 21-year-old Oxford University computer science student and former Google intern Owen Campbell-Moore. With the extension, anyone – you, your sister, a terrorist – could share messages hidden in JPEG images uploaded to Facebook without the prying eyes of the company, the government or anyone else noticing or figuring out what the messages say. The only way to unlock them is through a password you create.

"The goal of this research was to demonstrate that JPEG steganography can be performed on social media where it has previously been impossible," Campbell-Moore tells Danger Room. He says he spent about two months spread out over the last year working on the extension as a research project for the university.

The extension is only available for the Google Chrome browser – Campbell-Moore cites its developer tools and popularity – and the messages are restricted to 140 characters. Less certain is what Facebook thinks; a spokesman declined to comment. But it's still the first time anyone's managed to figure out how to automate digital steganography – the practice of concealing messages inside computer files – through Facebook, the world's biggest social media platform. Unlike cryptography, which turns messages into unreadable ciphertext, steganographic messages are simply hidden where no one would think to look.

For an image, that could be a bunch of pixels or electronic 1s and 0s. In Facebook's case, they can be hidden among the tons of images uploaded to the site daily.

It wasn't easy developing the extension. "Many tools for steganography in JPEGs have existed in the past although they have always required that the images are transmitted exactly as they are," Campbell-Moore says.

The image on the right has been encoded with a secret message.

Photo: courtesy of Owen Campbell-Moore

This could be a single pixel changed to a different color, and then repeated over several images, spelling out a message – which you can't see, unless you have the translation key, and know which pixel to look for. But when you upload an image to Facebook, the image is automatically recompressed, which can lower the image quality. If you've encoded a secret message in the image, Facebook will garble it. Facebook competitor Google+ doesn't do this, so you can share encoded messages there without needing an app for it.

So Campbell-Moore replicated Facebook's recompression algorithm, available in a draft research paper (.pdf). When encoding a message into an image, the extension automatically compresses the image, as Facebook would. Then it makes lots of "very slight" changes to add redundancy. "This minimizes the amount of change it will undergo when they do recompress it, keeping the damage to the secret message low," he says.

"Conceptually, imagine storing the message ten times, each in different sections of the photo before it is uploaded and recompressed," Campbell-Moore adds. "The algorithm can then piece the original message back together correctly, despite each copy stored in the image being slightly damaged."
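The redundancy idea in that quote can be shown with a repetition code and per-bit majority voting. The sketch below is an added illustration, not Secretbook's code: the damage pattern is constructed for the demo and is not Facebook's recompression, and all function names are hypothetical.

```python
# Added illustration: repetition coding with per-bit majority voting.
# The damage model is constructed for the demo and is not Facebook's recompression.

COPIES = 10  # the "ten times" from the quote above


def to_bits(text):
    """UTF-8 text -> list of bits, most significant bit first."""
    return [(byte >> shift) & 1 for byte in text.encode("utf-8") for shift in range(7, -1, -1)]


def from_bits(bits):
    """List of bits -> text; undecodable bytes become U+FFFD."""
    data = bytes(
        sum(bit << (7 - i) for i, bit in enumerate(bits[pos:pos + 8]))
        for pos in range(0, len(bits), 8)
    )
    return data.decode("utf-8", errors="replace")


def damage(bits, copy_index, flips_per_window):
    """Constructed damage: in every window of COPIES bits, flip `flips_per_window`
    of them, at positions that shift with the copy index, so each copy is
    corrupted in different places."""
    return [
        bit ^ 1 if (pos + copy_index) % COPIES < flips_per_window else bit
        for pos, bit in enumerate(bits)
    ]


def majority_vote(copies):
    """Rebuild each bit from the value most copies agree on (a tie yields 0)."""
    return [1 if 2 * sum(column) > len(copies) else 0 for column in zip(*copies)]


def roundtrip(message, flips_per_window):
    """Store COPIES damaged copies, then return (single-copy read, voted read)."""
    bits = to_bits(message)
    copies = [damage(bits, i, flips_per_window) for i in range(COPIES)]
    return from_bits(copies[0]), from_bits(majority_vote(copies))


if __name__ == "__main__":
    for flips in (3, 6):
        single, voted = roundtrip("meet at noon", flips)
        print(f"{flips}/10 bits damaged per copy: single={single!r} voted={voted!r}")
```

With 3 of every 10 bits damaged in each copy, no single copy is readable but the vote recovers the text; once more than half the copies disagree on a bit, the vote fails too.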

Secretbook has to be subtle. It uses Google Chrome's web extension platform, since Facebook's in-house apps publicly list their users – which would defeat the purpose of a secrecy tool. Since the extension runs through a web browser without a server connection, the users can't be detected by network analysis. It's also hard for Facebook to block or remove permissions, as the extension doesn't rely on a Facebook API key.

Steganography tools can benefit terrorists as much as they can protect privacy. Campbell-Moore believes steganography certainly can be used by terrorists in a general sense – but terrorists may avoid his method as it's not entirely foolproof. Since the images contain a large number of changes, someone looking for them could conceivably write an algorithm that tracks down manipulated images. That could limit the extension to "hobbyists and researchers," he says, rather than militants, or maybe not.

"A researcher could certainly build a simple system for detecting which images have secret messages hidden in them although they would first require access to all 300+ million photos being uploaded to Facebook every day," Campbell-Moore says. "Which I suspect even the NSA doesn't currently have, and performing detection on that scale would be very difficult."

Another problem he encountered: correcting his algorithms so they don't inadvertently cause changes to the plain areas of some images – which can make the encoded messages easier to detect. Think of a picture of a dog running through grass beneath a cloudless sky. Much better to encode the message in the grass and fur, where there's a lot of complexity, than a much less complex sky.

Campbell-Moore claims to have solved this, after theorizing that the difficulty of sorting out the complex regions of an image from the less complex ones was a major reason social media steganographic tools hadn't come out sooner. If he's right, get those puppy close-ups ready. There are messages to conceal within them.